Forked from jimsmith/aws-cross-over-policies-snippet.txt
Created
January 22, 2016 14:25
aws-cross-over-policies-snippet
| Example scenario: an EC2 instance in the AWS DEV account (111111111111) needs to access the S3 service in the PROD account (222222222222). | |
| The account that hosts the EC2 instance: DEV | |
| IAM User: test | |
| Inline policy attached to the DEV user (grants only the right to assume the PROD role): | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ], | |
| "Resource": "arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole" | |
| } | |
| ] | |
| } | |
| PROD AWS account -> Roles: PROD-EC2-CrossAccountRole | |
| Role ARN arn:aws:iam::111111111111:role/PROD-EC2-CrossAccountRole | |
| Instance Profile ARN(s): arn:aws:iam::111111111111:instance-profile/PROD-EC2-CrossAccountRole | |
| Trust relationship policy of the role (who is allowed to assume it): | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::222222222222:root" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "Bool": { | |
| "aws:MultiFactorAuthPresent": false | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| Permissions policy attached to the role above (what the assumed role may do in PROD): | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:ListBucket", | |
| "s3:GetObjectAcl", | |
| "s3:GetBucketAcl", | |
| "s3:GetBucketLocation", | |
| "s3:ListBucketMultipartUploads" | |
| ], | |
| "Resource": "arn:aws:s3:::name-of-my-bucket", | |
| "Condition": {} | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:AbortMultipartUpload", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion", | |
| "s3:GetObject", | |
| "s3:GetObjectAcl", | |
| "s3:GetBucketAcl", | |
| "s3:GetObjectVersion", | |
| "s3:GetObjectVersionAcl", | |
| "s3:PutObject", | |
| "s3:PutObjectAcl", | |
| "s3:PutObjectAclVersion" | |
| ], | |
| "Resource": "arn:aws:s3:::name-of-my-bucket/*", | |
| "Condition": {} | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": "s3:ListAllMyBuckets", | |
| "Resource": "*", | |
| "Condition": {} | |
| } | |
| ] | |
| } | |
| AWS CLI command used to check whether the DEV user can assume the PROD role: | |
| aws sts assume-role --role-arn "arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole" --role-session-name "test" | |
| A client error (AccessDenied) occurred when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/test is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/PROD-EC2-CrossAccountRole | |
| Successful output, from rdark in ##AWS IRC, after removing the MFA condition from the trust policy :) The `Bool` condition on `aws:MultiFactorAuthPresent` never matched because that context key is absent when the caller presumably uses an IAM user's long-term access keys, so the `Allow` statement did not apply and AssumeRole was denied. | |
| { | |
| "AssumedRoleUser": { | |
| "AssumedRoleId": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME:test", | |
| "Arn": "arn:aws:sts::222222222222:assumed-role/PROD-EC2-CrossAccountRole/test" | |
| }, | |
| "Credentials": { | |
| "SecretAccessKey": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME", | |
| "SessionToken": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-MESCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME==", | |
| "Expiration": "2015-06-29T16:57:19Z", | |
| "AccessKeyId": "SCRAMBLED-EGGS-FOR-BREAKFAST-HIDE-ME" | |
| } |